Windows: warn when Secure Boot stops trusting the boot chain

Track Microsoft Windows Production PCA 2011 and Windows UEFI CA 2023 in the firmware db parser so the trust of the chainloaded Windows boot manager copy (bootmgfw_ms.vc) can be verified.

Add BootEncryption::GetEfiBootChainTrustStatus to check the installed VeraCrypt loader set and the bootmgfw_ms.vc signer against the active Secure Boot db, asserting nothing from malformed or partial firmware data.

Warn before reboot during Setup upgrade/repair and log a System Favorites service event when a boot chain component is no longer trusted, so Secure Boot certificate changes surface in Windows instead of as a pre-boot failure.

Refs #1655.
This commit is contained in:
Mounir IDRASSI
2026-07-06 22:24:26 +09:00
parent 48f8d87418
commit 7f24d98db2
48 changed files with 354 additions and 1 deletions
+166 -1
View File
@@ -2629,6 +2629,8 @@ namespace VeraCrypt
bool ContainsMicrosoftCorporationUefiCa2011;
bool ContainsMicrosoftUefiCa2023;
bool ContainsMicrosoftOptionRomUefiCa2023;
bool ContainsMicrosoftWindowsProductionPca2011;
bool ContainsWindowsUefiCa2023;
bool DbMalformed;
DWORD ParseError;
};
@@ -3015,6 +3017,85 @@ namespace VeraCrypt
0x77, 0x87, 0xEC, 0x67, 0x2E, 0xB9, 0x87, 0x06,
0x46, 0xDD, 0x41, 0x43, 0x40, 0x6A, 0x5F, 0x2F
};
// The two Windows boot manager signing CAs below are not used for loader-set selection.
// They are tracked so that the trust of the chainloaded Windows boot manager copy
// (bootmgfw_ms.vc) can be verified against the active Secure Boot db before a reboot.
// Microsoft Windows Production PCA 2011, SHA-1 thumbprint 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D.
// DER source: https://go.microsoft.com/fwlink/p/?linkid=321192, SHA-256 E8E95F0733A55E8BAD7BE0A1413EE23C51FCEA64B3C8FA6A786935FDDCC71961.
static const uint8 microsoftWindowsProductionPca2011Rsa2048Modulus[256] =
{
0xDD, 0x0C, 0xBB, 0xA2, 0xE4, 0x2E, 0x09, 0xE3,
0xE7, 0xC5, 0xF7, 0x96, 0x69, 0xBC, 0x00, 0x21,
0xBD, 0x69, 0x33, 0x33, 0xEF, 0xAD, 0x04, 0xCB,
0x54, 0x80, 0xEE, 0x06, 0x83, 0xBB, 0xC5, 0x20,
0x84, 0xD9, 0xF7, 0xD2, 0x8B, 0xF3, 0x38, 0xB0,
0xAB, 0xA4, 0xAD, 0x2D, 0x7C, 0x62, 0x79, 0x05,
0xFF, 0xE3, 0x4A, 0x3F, 0x04, 0x35, 0x20, 0x70,
0xE3, 0xC4, 0xE7, 0x6B, 0xE0, 0x9C, 0xC0, 0x36,
0x75, 0xE9, 0x8A, 0x31, 0xDD, 0x8D, 0x70, 0xE5,
0xDC, 0x37, 0xB5, 0x74, 0x46, 0x96, 0x28, 0x5B,
0x87, 0x60, 0x23, 0x2C, 0xBF, 0xDC, 0x47, 0xA5,
0x67, 0xF7, 0x51, 0x27, 0x9E, 0x72, 0xEB, 0x07,
0xA6, 0xC9, 0xB9, 0x1E, 0x3B, 0x53, 0x35, 0x7C,
0xE5, 0xD3, 0xEC, 0x27, 0xB9, 0x87, 0x1C, 0xFE,
0xB9, 0xC9, 0x23, 0x09, 0x6F, 0xA8, 0x46, 0x91,
0xC1, 0x6E, 0x96, 0x3C, 0x41, 0xD3, 0xCB, 0xA3,
0x3F, 0x5D, 0x02, 0x6A, 0x4D, 0xEC, 0x69, 0x1F,
0x25, 0x28, 0x5C, 0x36, 0xFF, 0xFD, 0x43, 0x15,
0x0A, 0x94, 0xE0, 0x19, 0xB4, 0xCF, 0xDF, 0xC2,
0x12, 0xE2, 0xC2, 0x5B, 0x27, 0xEE, 0x27, 0x78,
0x30, 0x8B, 0x5B, 0x2A, 0x09, 0x6B, 0x22, 0x89,
0x53, 0x60, 0x16, 0x2C, 0xC0, 0x68, 0x1D, 0x53,
0xBA, 0xEC, 0x49, 0xF3, 0x9D, 0x61, 0x8C, 0x85,
0x68, 0x09, 0x73, 0x44, 0x5D, 0x7D, 0xA2, 0x54,
0x2B, 0xDD, 0x79, 0xF7, 0x15, 0xCF, 0x35, 0x5D,
0x6C, 0x1C, 0x2B, 0x5C, 0xCE, 0xBC, 0x9C, 0x23,
0x8B, 0x6F, 0x6E, 0xB5, 0x26, 0xD9, 0x36, 0x13,
0xC3, 0x4F, 0xD6, 0x27, 0xAE, 0xB9, 0x32, 0x3B,
0x41, 0x92, 0x2C, 0xE1, 0xC7, 0xCD, 0x77, 0xE8,
0xAA, 0x54, 0x4E, 0xF7, 0x5C, 0x0B, 0x04, 0x87,
0x65, 0xB4, 0x43, 0x18, 0xA8, 0xB2, 0xE0, 0x6D,
0x19, 0x77, 0xEC, 0x5A, 0x24, 0xFA, 0x48, 0x03
};
// Windows UEFI CA 2023, SHA-1 thumbprint 45A0FA32604773C82433C3B7D59E7466B3AC0C67.
// DER source: https://go.microsoft.com/fwlink/?linkid=2239776, SHA-256 076F1FEA90AC29155EBF77C17682F75F1FDD1BE196DA302DC8461E350A9AE330.
static const uint8 windowsUefiCa2023Rsa2048Modulus[256] =
{
0xBC, 0xB2, 0x35, 0xD1, 0x54, 0x79, 0xB4, 0x8F,
0xCC, 0x81, 0x2A, 0x6E, 0xB3, 0x12, 0xD6, 0x93,
0x97, 0x30, 0x7C, 0x38, 0x5C, 0xBF, 0x79, 0x92,
0x19, 0x0A, 0x0F, 0x2D, 0x0A, 0xFE, 0xBF, 0xE0,
0xA8, 0xD8, 0x32, 0x3F, 0xD2, 0xAB, 0x6F, 0x6F,
0x81, 0xC1, 0x4D, 0x17, 0x69, 0x45, 0xCF, 0x85,
0x80, 0x27, 0xA3, 0x7C, 0xB3, 0x31, 0xCC, 0xA5,
0xA7, 0x4D, 0xF9, 0x43, 0xD0, 0x5A, 0x2F, 0xD7,
0x18, 0x1B, 0xD2, 0x58, 0x96, 0x05, 0x39, 0xA3,
0x95, 0xB7, 0xBC, 0xDD, 0x79, 0xC1, 0xA0, 0xCF,
0x8F, 0xE2, 0x53, 0x1E, 0x2B, 0x26, 0x62, 0xA8,
0x1C, 0xAE, 0x36, 0x1E, 0x4F, 0xA1, 0xDF, 0xB9,
0x13, 0xBA, 0x0C, 0x25, 0xBB, 0x24, 0x65, 0x67,
0x01, 0xAA, 0x1D, 0x41, 0x10, 0xB7, 0x36, 0xC1,
0x6B, 0x2E, 0xB5, 0x6C, 0x10, 0xD3, 0x4E, 0x96,
0xD0, 0x9F, 0x2A, 0xA1, 0xF1, 0xED, 0xA1, 0x15,
0x0B, 0x82, 0x95, 0xC5, 0xFF, 0x63, 0x8A, 0x13,
0xB5, 0x92, 0x34, 0x1E, 0x31, 0x5E, 0x61, 0x11,
0xAE, 0x5D, 0xCC, 0xF1, 0x10, 0xE6, 0x4C, 0x79,
0xC9, 0x72, 0xB2, 0x34, 0x8A, 0x82, 0x56, 0x2D,
0xAB, 0x0F, 0x7C, 0xC0, 0x4F, 0x93, 0x8E, 0x59,
0x75, 0x41, 0x86, 0xAC, 0x09, 0x10, 0x09, 0xF2,
0x51, 0x65, 0x50, 0xB5, 0xF5, 0x21, 0xB3, 0x26,
0x39, 0x8D, 0xAA, 0xC4, 0x91, 0xB3, 0xDC, 0xAC,
0x64, 0x23, 0x06, 0xCD, 0x35, 0x5F, 0x0D, 0x42,
0x49, 0x9C, 0x4F, 0x0D, 0xCE, 0x80, 0x83, 0x82,
0x59, 0xFE, 0xDF, 0x4B, 0x44, 0xE1, 0x40, 0xC8,
0x3D, 0x63, 0xB6, 0xCF, 0xB4, 0x42, 0x0D, 0x39,
0x5C, 0xD2, 0x42, 0x10, 0x0C, 0x08, 0xC2, 0x74,
0xEB, 0x1C, 0xDC, 0x6E, 0xBC, 0x0A, 0xAC, 0x98,
0xBB, 0xCC, 0xFA, 0x1E, 0x3C, 0xA7, 0x83, 0x16,
0xC5, 0xDB, 0x02, 0xDA, 0xD9, 0x96, 0xDF, 0x6B
};
const size_t efiGuidSize = 16;
const size_t efiSignatureListHeaderSize = efiGuidSize + sizeof (uint32) * 3;
const size_t efiSignatureOwnerSize = efiGuidSize;
@@ -3066,6 +3147,16 @@ namespace VeraCrypt
{
support.ContainsMicrosoftOptionRomUefiCa2023 = true;
}
else if (!support.ContainsMicrosoftWindowsProductionPca2011
&& BufferHasPattern (certificate, certificateSize, microsoftWindowsProductionPca2011Rsa2048Modulus, sizeof (microsoftWindowsProductionPca2011Rsa2048Modulus)))
{
support.ContainsMicrosoftWindowsProductionPca2011 = true;
}
else if (!support.ContainsWindowsUefiCa2023
&& BufferHasPattern (certificate, certificateSize, windowsUefiCa2023Rsa2048Modulus, sizeof (windowsUefiCa2023Rsa2048Modulus)))
{
support.ContainsWindowsUefiCa2023 = true;
}
}
}
else if (BufferEquals (signatureList, efiCertRsa2048Guid, efiGuidSize))
@@ -3096,6 +3187,16 @@ namespace VeraCrypt
{
support.ContainsMicrosoftOptionRomUefiCa2023 = true;
}
else if (!support.ContainsMicrosoftWindowsProductionPca2011
&& BufferEquals (publicKey, efiRsa2048KeySize, microsoftWindowsProductionPca2011Rsa2048Modulus, sizeof (microsoftWindowsProductionPca2011Rsa2048Modulus)))
{
support.ContainsMicrosoftWindowsProductionPca2011 = true;
}
else if (!support.ContainsWindowsUefiCa2023
&& BufferEquals (publicKey, efiRsa2048KeySize, windowsUefiCa2023Rsa2048Modulus, sizeof (windowsUefiCa2023Rsa2048Modulus)))
{
support.ContainsWindowsUefiCa2023 = true;
}
}
}
@@ -3236,7 +3337,7 @@ namespace VeraCrypt
ThrowUnsupportedEfiSecureBootDb (L"firmware db and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
// All Secure Boot state cases are handled above.
TC_THROW_FATAL_EXCEPTION;
ThrowUnsupportedEfiSecureBootDb (L"firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
}
static void ThrowMissingEfiResource (const wchar_t* resourceName, bool rescueDisk)
@@ -6111,6 +6212,70 @@ namespace VeraCrypt
*pMicrosoft2023UefiCAsSupported = GetPreferredEfiBootLoaderResourceSet ().ResourceSet == VC_EFI_BOOT_LOADER_RESOURCE_SET_2023;
}
bool BootEncryption::GetEfiBootChainTrustStatus (EfiBootChainTrustStatus& status)
{
memset (&status, 0, sizeof (status));
SystemDriveConfiguration config = GetSystemDriveConfiguration();
if (!config.SystemPartition.IsGPT || !IsAdmin())
return false;
bool bSecureBootEnabled = false;
if (!TryFirmwareSecureBootEnabled (bSecureBootEnabled))
return false;
status.SecureBootEnabled = bSecureBootEnabled;
// Trust facts are only asserted from a fully parsed firmware db: acting on
// partial data could produce false "untrusted" reports.
FirmwareDbMicrosoftUefiCaSupport support;
if (!TryFirmwareDbGetMicrosoftUefiCaSupport (support) || support.DbMalformed)
return false;
DWORD recordedResourceSet = 0;
if (!ReadRecordedEfiBootLoaderResourceSet (recordedResourceSet))
return false;
status.InstalledResourceSet = recordedResourceSet;
if (recordedResourceSet == VC_EFI_BOOT_LOADER_RESOURCE_SET_2023)
status.VeraCryptLoaderTrusted = FirmwareDbMicrosoftUefiCaSupportContains2023Set (support);
else if (recordedResourceSet == VC_EFI_BOOT_LOADER_RESOURCE_SET_2011)
status.VeraCryptLoaderTrusted = support.ContainsMicrosoftCorporationUefiCa2011;
else
return false;
try
{
EfiBootInst.PrepareBootPartition (true);
// The signer family of the chainloaded Windows boot manager copy is identified by the
// issuer name embedded in its Authenticode certificate table. Like loader-set selection,
// this is a byte-presence heuristic, not a signature verification.
std::vector<uint8> loader;
if (EfiBootInst.ReadFileToBuffer (L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", loader) && !loader.empty ())
{
static const char szWindowsProductionPca2011Name[] = "Microsoft Windows Production PCA 2011";
static const char szWindowsUefiCa2023Name[] = "Windows UEFI CA 2023";
bool bSignedThroughPca2011 = BufferHasPattern (loader.data (), loader.size (), szWindowsProductionPca2011Name, strlen (szWindowsProductionPca2011Name));
bool bSignedThroughWindowsCa2023 = BufferHasPattern (loader.data (), loader.size (), szWindowsUefiCa2023Name, strlen (szWindowsUefiCa2023Name));
if (bSignedThroughPca2011 || bSignedThroughWindowsCa2023)
{
status.WindowsLoaderSignerKnown = true;
status.WindowsLoaderTrusted =
(bSignedThroughPca2011 && support.ContainsMicrosoftWindowsProductionPca2011)
|| (bSignedThroughWindowsCa2023 && support.ContainsWindowsUefiCa2023);
}
}
}
catch (...)
{
// The EFI system partition could not be inspected; the VeraCrypt loader facts above remain valid.
}
status.StatusKnown = true;
return true;
}
#ifndef SETUP
void BootEncryption::CheckRequirements ()
{
+13
View File
@@ -232,6 +232,18 @@ namespace VeraCrypt
std::wstring BootVolumePath;
};
// Trust facts about the installed EFI boot chain, derived from the active Secure Boot db.
// Only valid when StatusKnown is true: partial or malformed firmware data never asserts facts.
struct EfiBootChainTrustStatus
{
bool StatusKnown; // Secure Boot state read and firmware db parsed completely
bool SecureBootEnabled;
bool VeraCryptLoaderTrusted; // signing CA(s) of the installed VeraCrypt EFI loader set found in db
bool WindowsLoaderSignerKnown; // signer family of EFI\Microsoft\Boot\bootmgfw_ms.vc identified
bool WindowsLoaderTrusted; // signing CA of bootmgfw_ms.vc found in db
DWORD InstalledResourceSet; // VC_EFI_BOOT_LOADER_RESOURCE_SET_2011 or VC_EFI_BOOT_LOADER_RESOURCE_SET_2023
};
class BootEncryption
{
public:
@@ -319,6 +331,7 @@ namespace VeraCrypt
static void UpdateSetupConfigFile (bool bForInstall);
void GetSecureBootConfig (BOOL* pSecureBootEnabled, BOOL *pVeraCryptKeysLoaded);
void GetEfiBootLoaderSigningSupport (BOOL* pMicrosoft2023UefiCAsSupported);
bool GetEfiBootChainTrustStatus (EfiBootChainTrustStatus& status);
bool IsUsingUnsupportedAlgorithm(LONG driverVersion);
void NotifyService (DWORD dwNotifyCmd);
protected:
+2
View File
@@ -1688,6 +1688,8 @@
<entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
<entry lang="en" key="MACOSX_CHECK_FILESYS">A Terminal window will open after you press 'OK' and check the file system on the selected VeraCrypt volume using 'diskutil'. The result will be shown in that window.\n\nIf the check cannot be started, Disk Utility will be launched instead.</entry>
<entry lang="en" key="MACOSX_REPAIR_FILESYS">A Terminal window will open after you press 'OK' and attempt to repair the file system on the selected VeraCrypt volume using 'diskutil'. The result will be shown in that window.\n\nIf the repair cannot be started, Disk Utility will be launched instead.</entry>
<entry lang="en" key="SYSENC_EFI_LOADER_NOT_TRUSTED_BY_SECUREBOOT">Warning: Secure Boot is enabled, but the Microsoft UEFI CA that signs the installed VeraCrypt EFI bootloader was not found in the firmware Secure Boot database (db). The firmware may refuse to start VeraCrypt at the next reboot, so Windows will not start until Secure Boot is disabled or the trusted certificates/loader set are repaired.\n\nBefore restarting this computer, do not disable or remove Microsoft Corporation UEFI CA 2011 unless the firmware db contains both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 and VeraCrypt has been repaired/reinstalled so the 2023-signed loader set is installed. Enable the required Microsoft certificates in the BIOS/UEFI settings if needed, then run VeraCrypt Repair/Reinstall. Make sure you have an up-to-date VeraCrypt Rescue Disk before restarting.</entry>
<entry lang="en" key="SYSENC_EFI_WINDOWS_LOADER_NOT_TRUSTED_BY_SECUREBOOT">Warning: Secure Boot is enabled, but the Microsoft CA that signs the Windows Boot Manager copy used by VeraCrypt (bootmgfw_ms.vc) was not found in the firmware Secure Boot database (db). After successful pre-boot authentication, the handoff to Windows may fail and the computer may return to the VeraCrypt password prompt.\n\nBefore restarting this computer, do not disable or revoke Microsoft Windows Production PCA 2011 unless Windows Boot Manager has migrated to a Windows UEFI CA 2023-signed version and the firmware db contains Windows UEFI CA 2023. Apply the Windows Secure Boot certificate updates, then run VeraCrypt Repair/Reinstall if needed. Make sure you have an up-to-date VeraCrypt Rescue Disk before restarting.</entry>
</localization>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="VeraCrypt">
+40
View File
@@ -10827,6 +10827,22 @@ static void SystemFavoritesServiceLogInfo (const wstring &infoMessage)
SystemFavoritesServiceLogMessage (infoMessage, EVENTLOG_INFORMATION_TYPE);
}
static bool IsUnsupportedEfiSecureBootDbException (const ErrorException &e)
{
return e.ErrLangId && strcmp (e.ErrLangId, "SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA") == 0;
}
static void SystemFavoritesServiceLogBootLoaderUpdateError (const wchar_t *operation, const ErrorException &e)
{
if (IsUnsupportedEfiSecureBootDbException (e))
{
SystemFavoritesServiceLogError (wstring (operation) + L" failed: Secure Boot is enabled, but the firmware Secure Boot db does not trust any Microsoft UEFI CA set supported by VeraCrypt. See HKLM\\SOFTWARE\\VeraCrypt\\Diagnostics\\EfiBootLoader for the recorded selection reason.");
return;
}
SystemFavoritesServiceLogError (wstring (operation) + L" failed while updating the boot loader.");
}
static void SystemFavoritesServiceSetStatus (DWORD status, DWORD waitHint = 0)
{
@@ -10884,8 +10900,28 @@ static void SystemFavoritesServiceUpdateLoaderProcessing (BOOL bForce)
SystemFavoritesServiceLogInfo (L"SystemFavoritesServiceUpdateLoaderProcessing: InstallBootLoader calling");
bootEnc.InstallBootLoader (true);
SystemFavoritesServiceLogInfo (L"SystemFavoritesServiceUpdateLoaderProcessing: InstallBootLoader called");
// Record in the event log when the active Secure Boot db no longer trusts a
// component of the boot chain (e.g. after a Secure Boot certificate update),
// so that a subsequent pre-boot failure can be diagnosed from Windows.
try
{
EfiBootChainTrustStatus trustStatus;
if (bootEnc.GetEfiBootChainTrustStatus (trustStatus) && trustStatus.StatusKnown && trustStatus.SecureBootEnabled)
{
if (!trustStatus.VeraCryptLoaderTrusted)
SystemFavoritesServiceLogWarning (L"Secure Boot chain check: the firmware Secure Boot db does not trust the Microsoft UEFI CA that signs the installed VeraCrypt EFI bootloader. Pre-boot authentication may fail at the next reboot.");
else if (trustStatus.WindowsLoaderSignerKnown && !trustStatus.WindowsLoaderTrusted)
SystemFavoritesServiceLogWarning (L"Secure Boot chain check: the firmware Secure Boot db does not trust the Microsoft CA that signs the Windows boot manager copy used by VeraCrypt (bootmgfw_ms.vc). The handoff to Windows after pre-boot authentication may fail at the next reboot.");
}
}
catch (...) { }
}
}
catch (ErrorException &e)
{
SystemFavoritesServiceLogBootLoaderUpdateError (L"SystemFavoritesServiceUpdateLoaderProcessing", e);
}
catch (Exception &)
{
SystemFavoritesServiceLogError (L"SystemFavoritesServiceUpdateLoaderProcessing failed while updating the boot loader.");
@@ -11202,6 +11238,10 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
bootEnc.InstallBootLoader (true);
}
}
catch (ErrorException &e)
{
SystemFavoritesServiceLogBootLoaderUpdateError (L"PostOOBE boot loader update", e);
}
catch (Exception &)
{
SystemFavoritesServiceLogError (L"PostOOBE boot loader update failed.");
+16
View File
@@ -1799,6 +1799,22 @@ BOOL UpgradeBootLoader (HWND hwndDlg)
bootEnc.InstallBootLoader (true);
// Verify the whole boot chain against the active Secure Boot db before the user
// reboots: a component that the firmware no longer trusts (e.g. after a Secure Boot
// certificate update) would otherwise only surface as a pre-boot failure.
try
{
EfiBootChainTrustStatus trustStatus;
if (bootEnc.GetEfiBootChainTrustStatus (trustStatus) && trustStatus.StatusKnown && trustStatus.SecureBootEnabled)
{
if (!trustStatus.VeraCryptLoaderTrusted)
Warning ("SYSENC_EFI_LOADER_NOT_TRUSTED_BY_SECUREBOOT", hwndDlg);
else if (trustStatus.WindowsLoaderSignerKnown && !trustStatus.WindowsLoaderTrusted)
Warning ("SYSENC_EFI_WINDOWS_LOADER_NOT_TRUSTED_BY_SECUREBOOT", hwndDlg);
}
}
catch (...) { }
if (bootEnc.GetInstalledBootLoaderVersion() <= TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION)
{
bUpdateRescueDisk = TRUE;
+33
View File
@@ -94,6 +94,15 @@ BOOL bUpdateRescueDisk = FALSE;
BOOL bRepairMode = FALSE;
BOOL bUserSetLanguage = FALSE;
static BOOL EfiBootLoaderSelectionWasRefused ()
{
DWORD resourceSet = 0;
return ReadLocalMachineRegistryDword (
(wchar_t *) VC_EFI_BOOT_LOADER_DIAGNOSTICS_REGISTRY_KEY,
(wchar_t *) VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME,
&resourceSet) && resourceSet == 0;
}
/*
BOOL bMakePackage = FALSE;
BOOL bDone = FALSE;
@@ -1817,6 +1826,30 @@ BOOL UpgradeBootLoader_Dll (MSIHANDLE hInstaller, HWND hwndDlg)
// this is done by the service now
//bootEnc.InstallBootLoader (true);
// Verify the installed boot chain against the active Secure Boot db before the user
// reboots: a component that the firmware no longer trusts (e.g. after a Secure Boot
// certificate update) would otherwise only surface as a pre-boot failure. In the MSI
// upgrade path, the System Favorites service has already attempted the loader refresh.
try
{
if (EfiBootLoaderSelectionWasRefused ())
{
MSILogAndShow (hInstaller, MSI_WARNING_LEVEL, GetString("SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA"));
}
else
{
EfiBootChainTrustStatus trustStatus;
if (bootEnc.GetEfiBootChainTrustStatus (trustStatus) && trustStatus.StatusKnown && trustStatus.SecureBootEnabled)
{
if (!trustStatus.VeraCryptLoaderTrusted)
MSILogAndShow (hInstaller, MSI_WARNING_LEVEL, GetString("SYSENC_EFI_LOADER_NOT_TRUSTED_BY_SECUREBOOT"));
else if (trustStatus.WindowsLoaderSignerKnown && !trustStatus.WindowsLoaderTrusted)
MSILogAndShow (hInstaller, MSI_WARNING_LEVEL, GetString("SYSENC_EFI_WINDOWS_LOADER_NOT_TRUSTED_BY_SECUREBOOT"));
}
}
}
catch (...) { }
if (bootEnc.GetInstalledBootLoaderVersion() <= TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION)
{
bUpdateRescueDisk = TRUE;